Versions Compared

Old Version 1

changes.mady.by.user Robert A Basch

Saved on

compared with

New Version 2

changes.mady.by.user Robert A Basch

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

No Format
 sh ./gen-shib.sh

and answer its prompts, which will hopefully be clear.  Remember that the certificate it wants should be enabled for client as well as server use.

The $prefix/etc/shibboleth directory will contain apache.config, apache2.config, and apache22.config, which contain needed and example directives for Apache 1.3, Apache 2.0, and Apache 2.2, respectively; copy and/or include the appropriate file in your Apache config, and customize as needed.  The  directory also contains a shibd init script; shibd is a daemon that must be running, so should be started at boot time.

The Shibboleth Apache module logs by default to $prefix/var/log/httpd/native.log.  This file must be writable by Apache, which may require that you create it manually and set its ownership and/or permissions to allow write access by the user Apache is configured to run under.  You may also choose to change the location of the file, by modifying the log4j.appender.native_log.fileName setting in $prefix/etc/shibboleth/native.logger.

You will probably also want to customize the error pages and support contact information listed in the Errors element in $prefix/etc/shibboleth/shibboleth.xml (search for "You should customize these pages!"), e.g.:

...

  • session
        displayed if a session cannot be created after successful authentication,
        for example if shibd is not running. In a standard configuration, you can
        force this page to be displayed by visiting the server's /Shibboleth.sso location, e.g.:
        https://mv-ezproxy-com.ezproxyberklee.flo.org/Shibboleth.ssoImage Removed
  • metadata
        displayed in certain cases where there is no valid metadata
        for an identity provider. This should not happen using our
        standard configuration; it should only be possible when
        using the Artifact profile, or "lazy sessions", and there
        is a configuration problem.  You can force the page to be
        displayed by visiting:
        https://mv-ezproxy-com.ezproxyberklee.flo.org/Shibboleth.sso?providerId=NoSuchIdPImage Removed
  • rm
        displayed when an exception occurs when exporting assertions into
        request headers.  This indicates a software problem, and should
        not happen.
  • access
        displayed for access control failures.  This should only
        happen if you have access control directives in the Apache
        configuration for your Shibboleth-protected content.  You
        can force the page to be displayed by adding an access
        control directive that is certain to fail, for example
        "require NoSuchAlias" (remember to remove this configuration
        when you have completed testing).
  • ssl
        displayed when a POST is attempted using http instead of https,
        and RedirectToSSL is in effect.  This should not happen on a
        properly configured server.